Turning off client portal woes

Running on nginx with InvoiceNinja being the only virtual web site on this host, I have set REQUIRE_HTTPS=true and turned Client Portal off. If I go to https://invoice.example.com/client/ I rightfully get a “section turned off by admin”. If I instead go to https://192.168.10.10/client/ (where 192.168.10.10 is a placeholder for my real IP) I get a certificate warning, and after adding an exception I get to the client portal login page.

While I’m at it: Opening https://192.168.10.10/ gets me to the admin console. If I log in this way I end up in the admin console, I see my company in the company selector in the top left corner, but without the logo and I also don’t see the logo in Settings → Company Details → Logo. Seems like the logo is somehow tied to the URL. (If I log in the regular way via the hostname, the logo is still there.)

Granted, the IP-address-trick working means there is potential for improving the web servers config, but hey … :slight_smile:

Hi,

Thanks for reporting this!

cc @david @ben

1 Like

Yeah, I’m not sure there is much the app can do in this circumstance. We rely on a correctly configured webserver.

My DNS service provides protection of my direct IP address automatically, so I cannot test this myself, but can you add to your NGINX conf file these lines, where invoice.example.com is your domain name:

    if ($host != "invoice.example.com") {
        return 301 https://invoice.example.com;
    }

If you add this line anywhere in the NGINX server block listening on 443, it should force redirect any attempted connections into using the specified domain for access, regardless of what addressing they used before.

Note that you must restart the NGINX service after the change to the conf file with

    systemctl restart nginx

If you can please verify that it does work. I assume it will, and I’ve added it to my notes now.

3 Likes

This works, but:

  • statements are order dependent and need to go before any other rewriting of the URL (you observed that already in your guide),
  • if I try to reach the client portal I get redirected to the admin portal instead.

I’d suggest using something more generic, like:

    if ($host != $server_name) {
        return 301 https://$server_name$request_uri;
    }

Hmm, I don’t want to be the wise guy, but if I set a switch “client portal off” I’d consider it a bug if an attacker can circumvent this setting by simple URL manipulation.
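As an added illustration (not from this thread or the Invoice Ninja project), here is the usual way to close the direct-IP hole on the web server itself: a catch-all default server on 443 that drops any request whose Host header does not match a configured server_name, in front of the real site block with the host check from above placed before any other rewrite rules. Domain, certificate paths, document root and PHP-FPM socket are placeholders.

```nginx
# Added example: nginx host enforcement for an Invoice Ninja install.
# Assumes the site is served as invoice.example.com; all paths are placeholders.

# 1. Catch-all default server. A request to https://192.168.10.10/client/ has
#    Host = 192.168.10.10, matches no server_name and therefore lands here.
#    444 is nginx's "close the connection without a response" code.
server {
    listen 443 ssl default_server;
    server_name _;
    # TLS must still handshake before the Host header can be read, so a
    # certificate is required here; a self-signed one is sufficient.
    ssl_certificate     /etc/nginx/ssl/catchall-placeholder.crt;
    ssl_certificate_key /etc/nginx/ssl/catchall-placeholder.key;
    return 444;
}

# 2. The real site. With the default_server above, this block is only reached
#    when Host matches, so the host check is a second line of defence. It must
#    sit before any other rewrite rule, as noted earlier in the thread.
server {
    listen 443 ssl;
    server_name invoice.example.com;
    ssl_certificate     /etc/letsencrypt/live/invoice.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/invoice.example.com/privkey.pem;

    if ($host != $server_name) {
        # Keep the path, so /client/ stays /client/ after the redirect.
        return 301 https://$server_name$request_uri;
    }

    root  /var/www/invoiceninja/public;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    }
}
```

Check the file with `nginx -t` and reload; `curl -vk https://192.168.10.10/client/` should then report an empty reply from the server, while https://invoice.example.com/client/ still reaches the application's own “section turned off by admin” check.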

@xoo

You would be correct if Invoice Ninja was a single company service, however with Invoice Ninja, you can have ten companies under the one account. And we utilize the URL to ascertain whether the client portal is on or off for the given company.

Hence if your server configuration allows access outside the bounds of the application, there isn’t much the application can do.